The Hacker News — Cyber Security, Hacking, Technology News

Over the past few years, massive data breaches have become so frequent that pretty much every week we hear about some organisation being hacked or a hacker dumping tens of millions of user records.

But even after this long string of data breach incidents, many organisations still fail to grasp the importance of data protection, leaving their users' sensitive data vulnerable to hackers and cyber criminals.

Not any longer, at least for organisations in Britain, as the UK government has committed to updating and strengthening its data protection laws through a new Data Protection Bill.

The British government has warned businesses that if they fail to take measures to protect themselves adequately from cyber attacks, they could face fines of up to £17 Million (more than $22 Million), or 4% of their global turnover—whichever amount is higher.

However, the financial penalties would be a last resort, and will not be applied to organisations that take proper security measures and assess the risks adequately but nevertheless fall victim to a cyber attack.

The penalties would be issued by the data protection regulator, the Information Commissioner's Office (ICO).

"Our measures are designed to support businesses in their use of data and give consumers the confidence that their data is protected and those who misuse it will be held to account," Digital Minister Matt Hancock said in a government press release.

Hancock said this newly-proposed Data Protection Bill would:

Make it easier and simpler to withdraw consent for the use of personal data

Allow people to ask for their personal information held by organisations to be erased

Expand the definition of "personal data" to include IP addresses, DNA and internet cookies

Strengthen and update Data Protection Law to reflect the changing nature and scope of the country's digital economy

Make it easier and free for users to require companies to disclose the personal data they hold on them

Make it easier for users to move data between service providers

The proposal is being considered as part of a government consultation launched on Tuesday by the Department for Digital, Culture, Media and Sport to decide how to implement the Network and Information Systems (NIS) Directive from next May.

This is separate from the General Data Protection Regulation (GDPR), which is aimed at protecting data rather than services.

The GDPR will replace the British Data Protection Act 1998 from 25 May 2018, and the government has confirmed that Brexit will not change this.

This new proposal is mainly focused on ensuring that critical infrastructure, such as transport, health, energy and water, is protected from cyber attacks that could result in major disruption to services, as was seen in Ukraine last year.

The proposal will also cover other threats to IT infrastructure, such as power failures, hardware failures and environmental hazards.

China has long been known for its strict censorship policies, which have already made it difficult for foreign companies to do business in the world's most populous country of more than 1.35 billion people.

Now, the Chinese government has approved a broad and controversial new cybersecurity law that would further strengthen the country's censorship regime, making it even more difficult for technology companies to operate in the country.

Made public on Monday, the legislation, passed by China's rubber-stamp parliament and set to go into effect in June 2017, aims to combat growing threats like hacking and terrorism, but in practice comes with data localization, real-name requirements, and surveillance.

The Cybersecurity Law requires instant messaging services and other internet operators to force users to register with their real names and personal information, which restricts users' online anonymity.

The law also includes 'Data Localization' requirements that would force "critical information infrastructure operators" to store their users' data within the country's borders, the same requirement the Russian government has imposed on foreign tech companies.

Chinese Human Rights Watch (HRW) is opposing the legislation, saying that the new law doesn't include any precise definition of infrastructure operators, and will further extend government control over an already heavily monitored and censored media.

"The law will effectively put China's Internet companies, and hundreds of millions of Internet users, under greater state control," HRW's China director Sophie Richardson said in a statement over the weekend.

"Despite widespread international concern from corporations and rights advocates for more than a year, Chinese authorities pressed ahead with this restrictive law without making meaningful changes."

Moreover, the new legislation also introduces further cyber security requirements, forcing companies to provide "technical support" to government agencies for investigations involving national security and crime, and to censor content that is "prohibited."

Although this technical support is not clearly defined in the law, experts believe that authorities could ask companies for encryption backdoors or other surveillance assistance in the name of tech support.

Under this law, companies and network operators are required to report "security incidents" to the government and to inform consumers of data breaches.

Acts that encourage "overthrowing the socialist system," "fabricating or spreading false information to disturb economic order," and inciting "separatism or damage national unity" are categorized as criminal acts under the new law.

Such requirements have raised serious concerns for users and companies operating in China, where the Internet and online freedom are already heavily censored by the government.